Why does ZWS appear to run as 'root' under HP-UX?

On HP-UX, userspace utilities such as top or ps report that ZWS is running as root even though it has been configured to run as a different user.

# ps -ef | grep zeus.web
root 16423 16284 1 21:34:08 pts/ta 0:00 grep zeus.web
root 17613 17609 0 22:15:51 ? 0:00 /space/cbuckley/zeus/web/bin/zeus.web
root 17609 1 18 22:15:51 ? 0:00 /space/cbuckley/zeus/web/bin/zeus.web
root 17612 17609 0 22:15:51 ? 0:00 /space/cbuckley/zeus/web/bin/zeus.web

It would appear from this output that ZWS is running as root. Clearly, this has significant security implications. However, the child processes (17612 & 17613) are actually running as a user with a UID of 1596, rather than a UID of 0, which we would equate with root.

HP-UX is correctly reporting the real GID/UID that zeus.web is running as. However, ZWS relies on downgrading its child process(es) at start-up to the effective permissions referred to above. HP-UX's ps utility outputs the real permissions, which unfortunately serves to confuse the security-conscious systems administrator.

The important question we need to ask is, 'How can I prove that my child processes (remember, the parent zeus.web process will always run as root) are running as the GID/UID specified in $ZEUSHOME/web/global.cfg?'

Let's turn to C to help us...

Here's the source code[1]:

#include <sys/types.h>
#include <sys/param.h>
#include <sys/pstat.h>
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char **argv)
{
    struct pst_status pst;
    pid_t pid = 0;
    int count = 0;

    /* The pid to check is passed in as the first argument. */
    if (argc < 2) {
        fprintf(stderr, "usage: %s pid\n", argv[0]);
        return 1;
    }
    pid = (pid_t) atoi(argv[1]);

    /* Get information about a particular pid -- this is a bit
    ** strange, but you can set the third parameter (elemcount)
    ** to 0 and set the last parameter (index) to the pid you
    ** want information about and it will fill in info for that
    ** process only. This same call, with different parms, can
    ** get you the info for all executing processes on the system.
    */
    count = pstat_getproc(&pst, sizeof(struct pst_status), 0, pid);
    switch (count)
    {
    case -1:
        perror("pstat_getproc()");
        return 1;
    case 0:
        fprintf(stderr, "No such pid: %ld\n", (long) pid);
        return 1;
    default:
        /* Now that you have the uid values, you could use
        ** a call to getpwuid to get the password structure
        ** so that you could print out the user name here,
        ** but I am not going into that in this example.
        */
        fprintf(stdout, "EUID = %ld RUID = %ld EGID = %ld\n",
                (long) pst.pst_euid, (long) pst.pst_uid, (long) pst.pst_egid);
        break;
    }
    return 0;
}

Let's compile!

/usr/local/bin/gcc pstat.c -o pstat

Now we have a pstat binary. We can use this program to satisfy ourselves that ZWS is running with the correct permissions:

bash# ./pstat 17609
EUID = 0 RUID = 0 EGID = 0

This is the parent process running as root.

bash# ./pstat 17612
EUID = 1177 RUID = 0 EGID = 1596
bash# ./pstat 17613
EUID = 1177 RUID = 0 EGID = 1596

These are the zeus.web child processes running with an EGID of 1596.

[1]: Original Author L. Spells 17/3/98.
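
To check the pstat output for several child processes without reading each line by eye, a small filter can compare the effective IDs against the values expected from global.cfg. This is an added example, not part of the original article or of L. Spells' code; the names pscheck and check_child are hypothetical, and the expected UID and GID are passed as arguments rather than read from global.cfg.

```c
/* pscheck.c (hypothetical name): added example, not the original author's code.
** Reads lines printed by the pstat tool above and compares the effective
** IDs with the UID/GID expected from global.cfg, given as arguments. */
#include <stdio.h>
#include <stdlib.h>

enum verdict { ID_OK, ID_STILL_ROOT, ID_WRONG_UID, ID_WRONG_GID, ID_BAD_LINE };

/* Check one "EUID = n RUID = n EGID = n" line for a child process.
** RUID is parsed but not compared: as the article shows, it stays 0. */
enum verdict check_child(const char *line, long want_uid, long want_gid)
{
    long euid, ruid, egid;
    char extra;

    /* Exactly three numbers must match; trailing text makes it four. */
    if (sscanf(line, " EUID = %ld RUID = %ld EGID = %ld %c",
               &euid, &ruid, &egid, &extra) != 3)
        return ID_BAD_LINE;
    if (euid == 0 || egid == 0)
        return ID_STILL_ROOT;
    if (euid != want_uid)
        return ID_WRONG_UID;
    if (egid != want_gid)
        return ID_WRONG_GID;
    return ID_OK;
}

int main(int argc, char **argv)
{
    static const char *msg[] = { "ok", "still root", "unexpected EUID",
                                 "unexpected EGID", "unparseable" };
    char line[128];
    long uid, gid;
    int bad = 0;

    if (argc != 3) {
        fprintf(stderr, "usage: %s uid gid < pstat-output\n", argv[0]);
        return 2;
    }
    uid = strtol(argv[1], NULL, 10);
    gid = strtol(argv[2], NULL, 10);
    while (fgets(line, sizeof line, stdin) != NULL) {
        enum verdict v = check_child(line, uid, gid);
        printf("%-16s %s", msg[v], line);
        if (v != ID_OK)
            bad = 1;
    }
    return bad;   /* non-zero if any line failed the check */
}
```

With the sample output above, ./pstat 17612 | ./pscheck 1177 1596 reports the child as ok, while the parent's line (EUID = 0) is flagged as still root.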

Content Manager [Administrator] 05 June 2006  